Abstract
The Internet of Things (IoT), an emerging global network of uniquely identifiable embedded computing devices within the existing Internet infrastructure, is transforming how we live and work by increasing the connectedness of people and things on a scale that was once unimaginable. In addition to facilitated information and service exchange between connected objects, enhanced computing power and analytic capabilities of individual objects, and increased interaction between objects and their environments, the IoT also raises new security and privacy challenges. Hardware trust across the IoT supply chain is the foundation of IoT security and privacy. Two major supply chain issues—disappearance/theft of authentic IoT devices and appearance of inauthentic ones—have to be addressed to secure the IoT supply chain and lay the foundation for further security and privacy-defensive measures. Comprehensive solutions that enable IoT device authentication and traceability across the entire supply chain (i.e., during distribution and after being provisioned) need to be established. Existing hardware, software, and network protection methods, however, do not address IoT supply chain issues. To mitigate this shortcoming, we propose an RFID-enabled solution called ReSC that aims at defending the IoT supply chain. By incorporating three techniques—one-to-one mapping between RFID tag identity and control chip identity; unique tag trace, which records tag provenance and history information; and neighborhood attestation of IoT devices—ReSC is resistant to split attacks (i.e., separating tag from product, swapping tags), counterfeit injection, product theft throughout the entire supply chain, device recycling, and illegal network service access (e.g., Internet, cable TV, online games, remote firmware updates). Simulations, theoretical analysis, and experimental results based on a printed circuit board (PCB) prototype demonstrate the effectiveness of ReSC. 
Finally, we evaluate the security of our proposed scheme against various attacks.